CVE-2025-61687

Name of the Vulnerable Software and Affected Versions Flowise version 3.0.7

Description Flowise, a drag & drop user interface for building customized large language model flows, contains a file upload issue. Authenticated users can upload arbitrary files without proper validation, enabling attackers to persistently store malicious Node.js web shells on the server. The system does not validate file extensions, MIME types, or file content during uploads. Uploaded shells expose HTTP endpoints capable of executing arbitrary commands if triggered. The uploaded shell does not automatically execute, but its presence allows future exploitation via administrator error or chained vulnerabilities.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.